U.S. Department of the Interior
Office of Inspector General

AUDIT REPORT

GENERAL AND APPLICATION CONTROLS OVER AUTOMATED INFORMATION SYSTEMS, OFFICE OF SURFACE MINING RECLAMATION AND ENFORCEMENT

REPORT NO. 00-I-138
DECEMBER 1999

A-IN-OSM-001-99-M

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240

DEC 21 1999

AUDIT REPORT

Memorandum

To: Director, Office of Surface Mining Reclamation and Enforcement

From: Robert J. Williams
Assistant Inspector

Subject: Audit Report on General and Application Controls Over Automated Information Systems, Office of Surface Mining Reclamation and Enforcement (No. 00-I-138)

INTRODUCTION

This report presents the results of our audit of the Office of Surface Mining Reclamation and Enforcement's general and application controls over its automated information systems. The objective of this audit was to determine whether Surface Mining had effective general and application controls over its automated information systems and whether the automated information systems were operating in compliance with the Federal Financial Management Improvement Act.
We performed this audit to support the Office of Inspector General's opinion on the financial statements of Surface Mining by evaluating the reliability of the general and application controls over computer-generated data that support Surface Mining's annual financial statements.

BACKGROUND

The Office of Surface Mining Reclamation and Enforcement was created with the enactment of the Surface Mining Control and Reclamation Act of 1977 (Public Law 95-87). The purpose of Surface Mining is to implement the provisions of the Surface Mining Control and Reclamation Act and to ensure that society and the environment are protected from the adverse effects of surface and subsurface coal mining operations. Surface Mining meets this mission through programs authorized by Title IV (Abandoned Mine Reclamation) and Title V (Control of the Surface Effects of Coal Mining) of the Surface Mining Control and Reclamation Act. Surface Mining's activities include issuing mine permits, inspecting mine operations, enforcing mine standards, ensuring the effectiveness of authorized state and tribal regulatory programs, and promoting reclamation of surface mine lands.

Surface Mining has its headquarters in Washington, D.C., and has decentralized its regulatory and enforcement mission through the Appalachian Regional Coordinating Center, in Pittsburgh, Pennsylvania; the Mid-Continent Regional Coordinating Center, in Alton, Illinois; and the Western Regional Coordinating Center, in Denver, Colorado. Additionally, Surface Mining maintains a close working relationship with governments of the coal-producing states, environmental protection groups, and mission support contractors.

Surface Mining is dependent on automated information systems to support its mission and financial statements.
The Division of Information Systems Management is responsible for facilitating the efficient and effective use of information and information technologies in support of information resources management and Surface Mining's mission. The information resources management responsibilities are shared by various Surface Mining organizations, including the Division of Information Systems Management, the Division of Financial Management, assistant directorates, and regional and field offices. Nationwide, automated data processing support is provided through local area network-based microcomputer workstations, including Windows NT, Silicon Graphics, and Sun Solaris UNIX. The local area networks are interconnected by Surface Mining's wide area network.

The data center responsible for inputting, recording, classifying, and reporting on Surface Mining's financial business is located at the Division of Financial Management in Denver. The Division operates and maintains two minicomputer platforms, a Hewlett Packard and a Sun Solaris, to support Surface Mining's financial management functions. The Hewlett Packard computer hosts Surface Mining's primary financial management system, the Advanced Budget/Accounting Control and Information System (ABACIS). In addition, the Hewlett Packard computer hosts other financial applications that affect the generation of financial statement information as follows:

  - The Grants Information Fund Tracking System (GIFTS)
  - The Civil Penalty Accounting Control System (CPACS)
  - The Audit Fee Billing and Collection System (AFBACS)
  - The Synergistic Acquisition Tracking and Information Network (SATIN)

The Sun Solaris computer hosts the Fee Billing and Collection System (FEEBACS) application, which generates records for posting to ABACIS and affects the generation of financial statement information.
In addition, FEEBACS supports Surface Mining's mission critical Applicant Violator System (AVS), which is an independent, stand-alone system that does not generate data for or impact Surface Mining's financial records and statements. Also, the Division operates a Windows NT computer network that distributes personnel data to Surface Mining's human resource and budget personnel and provides financial management data to Surface Mining's users.

Systems security policies for Surface Mining are established by its Information Technology Security Officer. System security administration for the minicomputers, local area networks, and the wide area network is the responsibility of the information technology security officers at Surface Mining offices and facilities.

SCOPE OF AUDIT

We reviewed Surface Mining's general controls (the policies and procedures for ensuring that information systems operate properly) that were in place for its automated information systems. We did not review the application controls (the controls over input, processing, and output of data) because of the weaknesses we found in the general controls. The effectiveness of the general controls determines the effectiveness of the application controls. When the general controls are not effective, application controls can be made ineffective because the application controls can be bypassed or modified.

We reviewed the general controls in six major areas: security program development, logical and physical access, change management, separation of duties, system software, and service continuity.
To accomplish our objective, we interviewed Surface Mining and contractor personnel, reviewed systems documentation, observed and became familiar with data center operations and network components, analyzed systems security, and evaluated service continuity procedures and testing. In addition, we reviewed the software maintenance procedures. During the audit, we used several software tools to identify vulnerabilities in Surface Mining's automated information systems and networks. These tools were used to perform a variety of functions, such as monitoring and analyzing user and system activity, auditing system configurations and vulnerabilities, assessing the integrity of critical systems and data files, and operating system audit-trail management. Because our review was limited to evaluating the adequacy of general controls over automated information systems, we did not evaluate the effectiveness of manual control procedures that may have operated as compensating controls for the automated information systems' general controls.

Our audit, which was conducted during January through April 1999 at Surface Mining's headquarters and the data center in Denver, Colorado, was made in accordance with the "Government Auditing Standards," issued by the Comptroller General of the United States. Accordingly, we included such tests of records and other auditing procedures that were considered necessary under the circumstances.

As part of our audit, we evaluated the internal controls that could adversely affect Surface Mining's automated information systems. The control weaknesses that we found are summarized in the Results of Audit section and detailed in Appendix 1 of this report.
Based on our determination of the inadequacy of the general controls taken as a whole, we believe that the weaknesses in Surface Mining's general controls over its automated information systems should be reported as a "reportable condition" in Surface Mining's annual financial statements for fiscal year 1999. In addition, Surface Mining did not have security plans for its 13 sensitive systems. We believe that Surface Mining should report the lack of security plans for the systems as a material weakness in its annual assurance statements on management controls for fiscal year 1999. Because of inherent limitations in any system of internal controls, losses, noncompliance, or misstatements may occur and not be detected. We also caution that projecting our evaluations to future periods is subject to the risk that controls or the degree of compliance with the controls may diminish.

PRIOR AUDIT COVERAGE

During the past 5 years, neither the General Accounting Office nor the Office of Inspector General has issued any reports related to the Office of Surface Mining Reclamation and Enforcement's general controls over its automated information systems.

RESULTS OF AUDIT

We concluded that the Office of Surface Mining Reclamation and Enforcement's general controls over its automated information systems were not effective. Specifically, Surface Mining did not have an adequate security program; did not have controls over access to automated information systems resources, systems software, separation of duties, and software development and change management; and did not have assurance of continued operations in the event of a disaster or system failure.
Office of Management and Budget Circular A-130, "Management of Federal Information Resources," and National Institute of Standards and Technology publications require Federal agencies to establish and implement computer security and management and internal controls to improve the protection of information in the computer systems of executive branch agencies. Additionally, the Congress enacted laws, such as the Privacy Act of 1974 and the Computer Security Act of 1987, to improve the security and privacy of sensitive information in computer systems by requiring executive branch agencies to ensure that the level of computer security and controls over sensitive information is adequate. The Computer Security Act defines "sensitive" data as "any information the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act." Further, the Department of the Interior and Surface Mining have issued policies and procedures to implement general controls to protect sensitive data in automated information systems. However, the general controls were not adequate because Surface Mining management had not (1) established necessary policies and procedures for the controls, (2) assigned responsibilities for ensuring that policies and procedures were developed and followed, and (3) held officials accountable for noncompliance with the established controls.
The lack of adequate controls increased the risk of unauthorized access and modifications to and the disclosure of Surface Mining data, theft or destruction of Surface Mining software and sensitive information, and loss of critical Surface Mining systems and functions in the event of a disaster or system failure.

Overall, we identified 16 weaknesses and made 38 recommendations for improving the general controls over Surface Mining's automated information systems. A summary of the weaknesses noted in the six major areas reviewed is provided in the paragraphs that follow, and specific details of the weaknesses and our respective recommendations to correct these weaknesses are in Appendix 1.

Security Program

We found that Surface Mining did not have an automated information systems security program which identified and addressed all risks affecting sensitive and financial data, did not have security plans for its 12 sensitive automated information systems, and did not have adequate security-related personnel policies and procedures for Surface Mining employees and contractors. As a result, there was an increased risk that sensitive data may be impaired or compromised by individuals and that data may be inadvertently disclosed, destroyed, or erroneously modified. We made nine recommendations to address these weaknesses.

Access Controls

We found that Surface Mining did not have adequate controls over access to its automated information systems. Specifically, Surface Mining did not classify its automated information systems resources to determine the level of security that should be provided, control the levels of access granted to systems users, limit the number of log-in attempts allowed for access to computer resources as required by Department of the Interior standards, control passwords and password settings, control public user access to the Novell network and file servers, and protect its local area networks.
As a result, there was an increased risk that sensitive data maintained on the automated information systems were vulnerable to unauthorized access, manipulation, and disclosure. We made 14 recommendations to address these weaknesses.

System Software Controls

We found that the controls over system software did not detect and determine inappropriate use and address vulnerabilities in the operating systems. Specifically, available computer systems audit tools to ensure integrity over systems processing and data were not used, some systems audit trails were not implemented and when implemented were not reviewed, and vendor updates to operating systems software were not implemented. As a result, there was an increased risk that inappropriate systems settings and processing would not be identified and recorded. Also, without periodic reviews of the systems' audit trails, there was an increased risk that processing problems or unauthorized activities may not be detected or detected in a timely manner. Additionally, there was an increased risk that operating systems' vulnerabilities addressed by the vendor would not be corrected. We made six recommendations to address these weaknesses.

Separation of Duties

We found that Surface Mining management did not separate the duties of system security administrators from reviewers and did not separate the duties of the application programmers from systems users. As a result, there was an increased risk that inappropriate actions by security administrators would not be detected or detected timely and that accidental or intentional actions by programmers could threaten the integrity of Surface Mining's data and disrupt systems processing.
We made two recommendations to address these weaknesses.

Software Development and Change Management

We found that Surface Mining did not ensure that changes to applications software were authorized, approved, and tested before being moved into production. As a result, there was an increased risk that critical sensitive applications software changes were not made and that applications would not perform as intended. We made three recommendations to address these weaknesses.

Service Continuity

We found that Surface Mining did not develop a continuity of operations plan for its telecommunications links, did not finalize plans for its facilities and data center, and did not have an incident response plan or team. As a result, there was an increased risk that critical systems or data may not be recovered in the event of a disaster or system failure. We made four recommendations to address these weaknesses.

Other Matters

During our audit, we also found that the environmental controls at Surface Mining's Information Systems Management computer operations room were not adequate to safeguard the computer resources. For example, the air conditioning system was not maintaining an appropriate room temperature; the carpeting was dirty and worn, which produces dust and debris; and the overall condition of the room was unkempt.
The National Institute of Standards and Technology's "An Introduction to Computer Security: The NIST Handbook" states that computer resources, such as hardware, software, and magnetic media, require environmental protection to ensure that the computer resources are safeguarded from excessive temperatures, dust, and debris.

Office of Surface Mining Reclamation and Enforcement Response and Office of Inspector General Reply

In the September 17, 1999, response (Appendix 3) to the draft report from the Director, Office of Surface Mining Reclamation and Enforcement, Surface Mining concurred with the 38 recommendations. Based on the response, we consider Recommendations K.2, M.1, M.2, N.2, O.2, O.3, and P.1 resolved and implemented and Recommendation K.1 resolved but not implemented. Accordingly, Recommendation K.1 will be forwarded to the Assistant Secretary for Policy, Management and Budget for tracking of implementation (see Appendix 4). Regarding Recommendation B.3, we agree that the actions taken by Surface Mining to develop security plans for its mission critical systems are sufficient, although the plans are not complete; therefore, Surface Mining does not need to report this as a material weakness in the annual assurance statement on management controls for fiscal year 1999. Thus, we consider this recommendation resolved. Also based on the response, we request the dates and titles of the individuals responsible for implementing the remaining 30 recommendations.

Surface Mining has completed or has begun actions needed to implement the 38 recommendations.
Specifically, the draft publication "Information Systems Security Program Directive" addresses many of our recommendations for developing policies and procedures to ensure that Surface Mining's automated systems are adequately safeguarded. Although Surface Mining has initiated actions to correct the general control weaknesses identified in this report, many of these actions were not completed by the end of fiscal year 1999. Therefore, we believe that the weaknesses in Surface Mining's general controls over its automated information systems should be reported as a "reportable condition" in Surface Mining's annual financial statements for fiscal year 1999.

Surface Mining's specific comments to some of the recommendations are in the paragraphs that follow.

Recommendation A.1. Surface Mining said that it had completed a risk assessment for each of its 16 mission critical systems and that these risk assessments were included in its response. However, the response did not include risk assessments for the Administrative Records Management System (ARMS); the Technical Information Processing System (TIPS); and the Work Assignment Tracking System/Mine Information, Project Planning System (WATSMIPPS). Therefore, Surface Mining should complete risk assessments for these systems and provide target dates and titles of officials responsible for implementation.

Recommendation B.1. Surface Mining requested that we delete the Payroll/Personnel Data Entry (PAY/PERS) from our list of 13 sensitive systems because the System "is no longer used" by Surface Mining. Also, Surface Mining identified four additional systems requiring security plans. We have revised Appendix 2 to reflect these changes.

Recommendation B.2.
Surface Mining said that it concurred with the recommendation; however, Surface Mining also said that it will elevate the information systems security function to report to the Deputy Chief Information Officer rather than to the Chief Information Officer (as we had recommended). We believe that this action meets the intent of the recommendation, but a target date and title of the official responsible for implementation should be provided.

Recommendation F.5. Surface Mining stated that the systems' log-in warning message cannot be the first screen displayed because of computer "hardware and operating system architecture." However, Surface Mining stated that the log-in warning message will be placed as close to the first screen as the hardware and operating system will allow. We believe that this action meets the intent of the recommendation, but a target date and title of the official responsible for implementation should be provided.

Recommendation K.3. Surface Mining said that the minicomputer platforms used by the Division of Financial Management maintain system logs and that the logs are retained for 6 months. Surface Mining also said that the audit function on the Windows NT and the Novell servers has been "enabled." However, Surface Mining needs to implement policies and procedures to ensure that the system logs are used and that the logs are controlled by
request that Surface Mining provide an action plan that includes a target date and title of the official responsible for implementing the policies and procedures.

In accordance with the Departmental Manual (360 DM 5.3) we are requesting a written response to this report by January 24, 2000.
The response should provide the information requested in Appendix 4.

Section 5(a) of the Inspector General Act (Public Law 95-452, as amended) requires the Office of Inspector General to list this report in its semiannual report to the Congress. In addition, the Office of Inspector General provides copies of audit reports to the Congress.

We appreciate the assistance of Surface Mining personnel in the conduct of our audit.

APPENDIX 1
Page 1 of 30

DETAILS OF WEAKNESSES AND RECOMMENDATIONS

SECURITY PROGRAM

Control Objective: The control objective for the security program is to establish the framework for continually managing risk, developing system security policy, assigning responsibilities, and monitoring the adequacy of the entity's computer-related controls.

A. Risk Assessments

Condition: The Office of Surface Mining Reclamation and Enforcement did not implement a risk management process.
Specifically, we found that:

  - Risk assessments had not been made of Surface Mining's computer systems, applications, and computer resources.

  - No overall determination had been made of the effectiveness of the technical controls implemented.

  - No acceptance of the residual risk of not implementing a risk management process had occurred.

Criteria: Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," states that adequate security "includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls." Circular A-130 further states that, although formal risk analyses need not be performed, adequate security should be determined based on risk management. In implementing risk management, major factors such as "the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards" should be considered. Also, the National Institute of Standards and Technology's "An Introduction to Computer Security: The NIST Handbook" provides guidance on computer security risk management.
The "NIST Handbook" specifically addresses the selection of safeguards to reduce risk and to accept any residual risk.

Cause: Surface Mining had not developed policies and procedures to establish a risk-based approach to assessing the risks to its automated information systems and taking actions to manage these risks. In addition, no one was formally assigned responsibility for conducting risk assessments; thus, risks to the automated information systems had not been identified and managed.

Effect: Without identifying all significant threats and vulnerabilities to the automated information systems, computer resources, and facilities, Surface Mining's management was unable to determine the most effective measures needed to protect against threats or reduce the vulnerabilities. Therefore, there was a risk that critical Surface Mining resources would not be adequately protected and that expensive controls would be implemented for resources which did not require significant protection.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

1. Determine the risks associated with each of the systems and, based on the results of the risk assessments, establish appropriate security policies and procedures.

2.
Ensure that risk assessments are conducted in accordance with Federal guidelines which recommend that risk assessments support the acceptance of risk and the selection of appropriate controls. Specifically, the risk assessments should address significant risks affecting sensitive systems and major applications, appropriately identify controls implemented to mitigate those risks, and formalize the acceptance of residual risk.

3. Formally assign and communicate responsibility to those individuals required to participate in assessing risks.

B. System Security Plans

Condition: Security plans for Surface Mining's 13 sensitive automated information systems (the systems are listed in Appendix 2) as reported to the Department of the Interior in Surface Mining's "Automated Information Systems Security Plan," dated February 1998, had not been developed. Also, Surface Mining had not reported the lack of security plans for the systems as a material weakness in its annual assurance statement on management controls for fiscal year 1999, as required by Office of Management and Budget Circular A-130, Appendix III.

Criteria: The Computer Security Act of 1987 requires the development of a security plan for each Federal computer system that contains sensitive information.
A computer security plan is designed to assist agencies in addressing the protection of general support systems¹ and major applications that contain sensitive information to help ensure the systems' integrity, availability, and confidentiality. In addition, Office of Management and Budget Circular A-130, Appendix III, states that agencies without adequate security plans should consider classifying the lack of security plans as a material weakness in the agency's annual Federal Managers' Financial Integrity Act report to the Congress. Also, the National Institute of Standards and Technology's Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems," states that "[a]ll Federal systems have some level of sensitivity and require protection as part of good management practice" and that the method of protection must be documented in a system security plan.

Cause: Surface Mining management, rather than developing security plans for its 13 sensitive systems, said that it believed the Management Control Reviews and Alternative Management Control Reviews were sufficient to meet security plan requirements.
In addition, because Surface Mining's information technology security function was within the Division of Information Systems Management's Automated Data Processing Support Team, the function did not have adequate independence and authority to implement and enforce an overall Surface Mining computer security program that would ensure that security plans were developed for Surface Mining's general support systems and major applications. We believe that, at a minimum, the position of Information Technology Security Officer should be elevated to report directly to Surface Mining's Chief Information Officer. Further, while Surface Mining had information technology security officers at other locations, most of their time was spent in performing other duties.

¹ General support systems are an interconnected set of information resources under the same direct management control which shares common functionality.

Effect: Without automated information systems security plans, Surface Mining's management did not have adequate assurance that the data in its sensitive systems were adequately protected.
In addition, without security plans for the\n             13 sensitive systems, Surface Mining had a material weakness that should be\n             reported in its annual assurance statement on management controls for fiscal\n             year 1999.\n\nRecommendations:\n\nWe recommend that the Director, Office of Surface Mining Reclamation and Enforcement:\n\n    1. Provide resources to ensure that automated information systems security plans are\ndeveloped for its general support systems and major applications in accordance with the\nComputer Security Act; Office of Management and Budget Circular A-130, Appendix III;\nand the National Institute of Standards and Technology\xe2\x80\x99s Special Publication 800-l 8.\n\n    2. Ensure that the automated information systems security function is elevated\norganizationally to report directly to Surface Mining\xe2\x80\x99s Chief Information Officer and\nformally provide the position with the authority to implement and enforce a computer\nsecurity program throughout Surface Mining.\n\n    3. Report the lack of security plans for Surface Mining\xe2\x80\x99s sensitive systems as a material\nweakness in Surface Mining\xe2\x80\x99s annual assurance statement on management controls for fiscal\nyear 1999.\n\n\n\n\n                                             12\n\x0c                                                                             APPENDIX 1\n                                                                              Page 5 of 30\n\n                                                                                     ..\nSECURITY PROGRAM\n\nC. Security-Related Personnel Policies and Procedures\n\nCondition: Surface Mining\xe2\x80\x99s security-related personnel policies and procedures did not\n           ensure systems integrity. 
Specifically, we found that:\n\n                 - Surface Mining personnel in public trust positions, such as computer\n            security officers, system and application programmers, and sensitive automated\n            information system owners and managers, did not have documented\n            background investigations for security clearances or did not have adequate\n            position sensitivity levels commensurate with their positjons. Also, Surface\n            Mining personnel did not have documentation to support that required periodic\n            followup background checks had been performed.\n\n                - Critical automated data processing contractor personnel, such as system\n            administrators and software management personnel, at the Division of\n            Information Systems Management did not have documented background\n            checks and security clearances.\n\nCriteria:   Office of Management and Budget Circular A-130, Appendix III, requires\n            agencies to establish and manage personnel security policies, standards, and\n            procedures that include requirements for screening individuals who (1)\n            participate in the design, development, operation, or maintenance of sensitive\n            applications or (2) have access to sensitive data. Also, the Code of Federal\n            Regulations (5 CFR 73 1.302) requires suitability reinvestigations every 5 years\n            for personnel filling high risk positions. 
Additionally, the Department of the Interior Manual (441 DM 3) specifies that public trust positions (all positions that do not have national security related duties) must be designated at "risk levels commensurate with the public trust responsibilities and attributes of the position as they relate to the efficiency of the Federal service."

Cause: Surface Mining did not have established policies and procedures requiring background investigations for Federal and contractor personnel filling sensitive and critical public trust positions. In addition, Surface Mining did not include in two of the contracts we reviewed a requirement for contractor personnel to have background investigations.

Effect: Without adequate security-related personnel policies and procedures, Surface Mining increases the risk that sensitive automated information systems operations and data could be impaired or compromised by Federal or contractor personnel.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

1. Ensure that personnel security policies and procedures are developed, implemented, and enforced, including those for obtaining appropriate security clearances for personnel filling sensitive or critical public trust positions.

2. Ensure that all automated data processing contractor employees have proper background clearances.

3. Ensure that periodic reinvestigations are completed every 5 years on personnel who are in public trust high risk positions.

ACCESS CONTROLS

Control Objective: The control objective for access controls is to limit or detect access to computer resources (for example, data, programs, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure.

D. Resource Classifications

Condition: Surface Mining had not classified its computer resources to determine the level of security that should be provided.

Criteria: Office of Management and Budget Circular A-130, Appendix III, directs agencies to assume that all major systems contain some sensitive information which needs to be protected but to focus extra security controls on a limited number of particularly high risk or major applications. Also, the Computer Security Act requires agencies to identify systems that process sensitive data.

Cause: Surface Mining did not have policies that provided for (1) information resources to be classified, (2) resource classification categories to be based on the need for protective controls, (3) senior-level management to review and approve resource classifications, and (4) determinations of resource classifications to be documented.
Additionally, classification of the information resources could not be achieved because a risk assessment (which identifies threats, vulnerabilities, and the potential negative effects that could result from disclosing confidential data or from not protecting the integrity of data supporting critical transactions or decisions) had not been performed on the computer applications and systems software.

Effect: If information resources are not classified according to their criticality and sensitivity, there is little assurance that Surface Mining is providing the most cost-effective means to protect the computer resources.

Recommendation:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, develop and implement policies to classify Surface Mining's computer resources in accordance with the results of periodic risk assessments and guidance contained in Office of Management and Budget Circular A-130, Appendix III.

E. Access Levels

Condition: Surface Mining did not have adequate controls in place to ensure that access levels granted to users of its automated information systems were appropriate. For example, we found that 14 personnel were granted "super-user" rights to the Fee Billing and Collection System (FEEBACS). These users could therefore manipulate FEEBACS databases directly, bypassing normal transaction processing controls.

Additionally, we found that access approval documentation was not available for all users on the systems. For example, based on a statistical sample of users selected for each of the operating and sensitive application systems reviewed, we found that access approval documentation was not available for:

- 20 (100 percent) of the users of the Novell operating system.

- 63 (80 percent) of the 78 users of the Sun Solaris operating system.

- 31 (88 percent) of the 35 users of the Windows NT operating system.

- 18 (16 percent) of the 109 users of the financial system application.

- 20 (66 percent) of the 30 users of the FEEBACS application.

In addition, we found that access granted to users of these systems had not been approved by the system owners or managers and that periodic reviews had not been performed to determine who the users were and whether the levels of access granted in the automated information systems were appropriate. We also found that individuals whose employment had been terminated still had access to the systems.

Criteria: The National Institute of Standards and Technology's "Generally Accepted Principles and Practices for Securing Information Technology Systems" states:

    Organizations should ensure effective administration of users' computer access to maintain system security, including user account management, auditing and the timely modification or removal of access. . . . Organizations should have a process for (1) requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions . . . [and] it is necessary to periodically review user account management on a system. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, [and] whether management authorizations are up-to-date.

The Department of the Interior Manual (375 DM 19, "Information Technology Security") states, "Since the greatest threat to most computer systems comes from authorized users, bureaus should institute personnel controls such as least privilege, separation of duties, and individual accountability." Further, the Manual states, "Detailed procedural guidelines will be established . . . to ensure IT [information technology] resources are properly protected and used only by authorized personnel."

Cause: Surface Mining management had not established policies to implement a process of approving access to its automated information systems. In addition, there was no formal assignment of responsibility for approving systems access and for periodically reviewing access levels granted to system users.
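The periodic access review that the NIST criteria above call for can be run as a cross-check of the account lists against the approval register and the HR separation list. The following is an added example written for this page, not code from the audit report or from Surface Mining; the systems are the ones named in the finding, while the user IDs, approvals, separation dates and counts are constructed for illustration.

```python
"""Periodic user-access review: an added example, not code from the audit
report or from Surface Mining.  It cross-checks three constructed inputs a
reviewer would gather from separate sources (each system's account list, the
register of management access approvals, and the HR list of separated
employees) and reports the three conditions the finding describes: accounts
with no approval on file, accounts of separated staff that are still active,
and privileged ("super-user") accounts that can bypass transaction controls.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    system: str
    user_id: str
    privilege: str   # "user" or "super-user"
    active: bool


# Constructed sample data: system names follow the finding, users and counts
# are invented for illustration.
ACCOUNTS = [
    Account("FEEBACS", "jdoe", "user", True),
    Account("FEEBACS", "asmith", "super-user", True),
    Account("FEEBACS", "rjones", "super-user", True),
    Account("FEEBACS", "mlee", "user", True),
    Account("FEEBACS", "tbrown", "user", False),
    Account("Novell", "jdoe", "user", True),
    Account("Novell", "asmith", "user", True),
    Account("Novell", "kwhite", "super-user", True),
    Account("Sun Solaris", "root", "super-user", True),
    Account("Sun Solaris", "mlee", "user", True),
]

# (system, user_id) pairs for which a signed access-approval form is on file.
APPROVALS = {
    ("FEEBACS", "jdoe"), ("FEEBACS", "asmith"), ("FEEBACS", "mlee"),
    ("Novell", "jdoe"),
    ("Sun Solaris", "mlee"),
}

# Separated employees as reported by HR, with separation date (constructed).
SEPARATED = {"rjones": date(1999, 3, 15), "kwhite": date(1998, 11, 2)}


def unapproved_accounts(accounts, approvals):
    """Per system: (missing, total, percent, user IDs) for accounts with no
    approval on file.  Percent is truncated, as the finding's figures are."""
    by_system = {}
    for acct in accounts:
        by_system.setdefault(acct.system, []).append(acct)
    result = {}
    for system, accts in by_system.items():
        missing = sorted(a.user_id for a in accts
                         if (system, a.user_id) not in approvals)
        percent = 100 * len(missing) // len(accts)
        result[system] = (len(missing), len(accts), percent, missing)
    return result


def separated_still_active(accounts, separated):
    """Accounts still active although HR reports the employee as separated."""
    return sorted((a.system, a.user_id, separated[a.user_id].isoformat())
                  for a in accounts if a.active and a.user_id in separated)


def privileged_accounts(accounts):
    """Super-user accounts per system, for the system owner to re-justify."""
    result = {}
    for acct in accounts:
        if acct.privilege == "super-user":
            result.setdefault(acct.system, []).append(acct.user_id)
    return {system: sorted(users) for system, users in result.items()}


def access_review(accounts=ACCOUNTS, approvals=APPROVALS, separated=SEPARATED):
    """Bundle the three checks into one review record for the system owner."""
    return {
        "unapproved": unapproved_accounts(accounts, approvals),
        "separated_active": separated_still_active(accounts, separated),
        "privileged": privileged_accounts(accounts),
    }


if __name__ == "__main__":
    for section, findings in access_review().items():
        print(section, findings)
```

Each of the three outputs maps to an item the finding reports: the per-system "missing of total (percent)" tuple reproduces the form of the sampling table, the separated-but-active list is what the notification procedure in the recommendations is meant to empty, and the super-user list is the input to the least-privilege review of accounts such as the 14 FEEBACS super-users.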
Also, procedures had not been implemented to ensure that system administration personnel were promptly notified of changes in employee assignments or employment terminations.

Effect: As a result, there was a risk that unauthorized access, data manipulation, and disclosure of sensitive information could occur and that the unauthorized access would not be detected, or not detected promptly.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

1. Institute a policy of "least privilege" access levels to ensure that access to resources and data is limited to those users who require such access.

2. Develop and implement policies and procedures for approving access to the automated information systems that include the formal assignment of responsibility for approving systems access.

3. Develop and implement procedures to ensure that user access levels are periodically reviewed to ensure that the current access provided is appropriate.

4. Develop and implement procedures to ensure that system administration personnel are promptly notified of changes in employee assignments or employment terminations.

5. Implement controls to ensure that system owners approve all access to their applications in accordance with Surface Mining policy.

F. System Log-in

Condition: The number of unsuccessful log-in attempts to access Surface Mining's automated information systems exceeded the standard established by the Department. Specifically, we found that:

- Windows NT users were allowed unlimited unsuccessful log-in attempts. However, during our review, Surface Mining officials temporarily changed the setting to nine, with plans to change the setting to the standard of three attempts.

- Sun Solaris system users were allowed five unsuccessful log-in attempts before their user identifications (IDs) and passwords were revoked.

- Financial system users were allowed eight unsuccessful log-in attempts before their user IDs and passwords were revoked. However, during our review, Surface Mining officials implemented new software and reduced the setting to the standard of three.

Additionally, the system log-in warning message that is used to warn potential unauthorized users that prosecution may occur was not displayed until after the user had logged on to the system and was authenticated as a valid system user.

Criteria: The Department of the Interior's "Automated Information Systems Security Handbook" states that "unsuccessful attempts to enter a password should be limited to three attempts." Further, the "Handbook" requires that all communications equipment capable of displaying system messages display, as the first message seen by a user, a warning message regarding unauthorized use of Government computers and/or software.

Cause: Although two of the three system administration personnel changed the number of log-in attempts, Surface Mining management had not developed policies and procedures that would implement the minimum standards established by the Department throughout Surface Mining. Additionally, Surface Mining management had not ensured that the warning message for unauthorized use was displayed as the first screen seen by a user.

Effect: Without adequate controls in place to ensure proper access to automated information systems, there is the risk that unauthorized access to the systems could occur, resulting in the corruption of sensitive data or systems processing and the denial of service.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

1. Develop and implement policies and procedures establishing the maximum number of log-in attempts allowed for its automated information systems in compliance with Department of the Interior regulations.

2. Ensure that the systems log-in warning message is the first screen displayed upon initial access and prior to the user being authenticated as a valid system user.

G. Password Settings

Condition: Password requirements for accessing Surface Mining's automated information systems were inadequate. Specifically, we found that:

- Passwords did not contain a minimum number of characters or include special characters.

- Passwords were fewer than the Department's standard of six characters in length, were common words, and were the same as users' IDs.

- Passwords were not changed periodically.

- Users were allowed to bypass password length and expiration settings.

- System administration passwords were shared. In one instance, the Sun Solaris operating system was accessed over the Internet using the system administration account and password, and the password was transmitted in unencrypted form.

Furthermore, using intrusion detection software, passwords for the Sun Solaris and Windows NT operating systems and the network router were identified within a 24-hour period, and powerful system administration level account passwords were obtained.

Criteria: The National Institute of Standards and Technology's "Generally Accepted Principles and Practices for Securing Information Technology Systems" states that if passwords are used for authentication they should have attributes such as a minimum length of six characters, should include special characters, should not be in an online dictionary, and should be unrelated to the user ID. Also, the Department of the Interior's Automated Information Systems Security Handbook requires that passwords be a minimum of six characters and be changed periodically (90 days is recommended).

Cause: Surface Mining had not developed policies and procedures on creating and changing passwords for its automated information systems.
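The standards cited in findings F and G (a limit of three unsuccessful log-in attempts; passwords of at least six characters with a special character, not a dictionary word, unrelated to the user ID, and changed within 90 days) can be encoded as a compliance check that a reviewer runs against system settings and a test extract of accounts. The following is an added example written for this page, not code from the audit report or from Surface Mining; the lockout settings mirror the finding, the accounts and the word list are constructed, and the substring test for "unrelated to the user ID" is an assumption about how to operationalize that attribute.

```python
"""Log-in lockout and password-attribute checks: an added example, not code
from the audit report or from Surface Mining.  It encodes the standards the
criteria of findings F and G cite and applies them to constructed settings
and accounts.  How "unrelated to the user ID" and "in an online dictionary"
are tested is an assumption made here, not a rule from the findings.
"""
import string
from datetime import date

MAX_FAILED_LOGINS = 3        # Department standard cited in finding F
MIN_PASSWORD_LENGTH = 6      # Department standard cited in finding G
MAX_PASSWORD_AGE_DAYS = 90   # Department recommendation cited in finding G
SPECIAL_CHARS = set(string.punctuation)
REVIEW_DATE = date(1999, 9, 30)   # constructed review date

# Constructed stand-in for the online dictionary the NIST principles refer to.
COMMON_WORDS = {"password", "welcome", "mining", "summer", "secret"}

# Constructed settings mirroring the finding; None means "unlimited".
LOCKOUT_SETTINGS = {
    "Windows NT": None,
    "Sun Solaris": 5,
    "financial system": 8,
    "FEEBACS": 3,
}


def lockout_findings(settings):
    """Systems whose unsuccessful log-in limit exceeds the Department standard."""
    return {system: limit for system, limit in settings.items()
            if limit is None or limit > MAX_FAILED_LOGINS}


def password_findings(user_id, password, last_changed, today):
    """Attributes required by the criteria that this password fails to meet.
    last_changed is a date, or None when the system records no change date."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if not SPECIAL_CHARS & set(password):
        problems.append("no special character")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    # Assumption: "unrelated to the user ID" is tested as a substring match.
    if user_id.lower() in password.lower():
        problems.append("related to user ID")
    if last_changed is None or (today - last_changed).days > MAX_PASSWORD_AGE_DAYS:
        problems.append("not changed within 90 days")
    return problems


def audit_passwords(accounts, today):
    """accounts: (user_id, password, last_changed) tuples as a review would
    obtain them from a test extract; returns only accounts with problems."""
    report = {}
    for user_id, password, last_changed in accounts:
        problems = password_findings(user_id, password, last_changed, today)
        if problems:
            report[user_id] = problems
    return report


# Constructed accounts: the first two reproduce conditions in the finding
# (password equal to the user ID; a shared dictionary-word password).
SAMPLE_ACCOUNTS = [
    ("jdoe", "jdoe", date(1999, 1, 4)),
    ("admin", "password", None),
    ("mlee", "Gr8-Mine!99", date(1999, 8, 15)),
]

if __name__ == "__main__":
    print(lockout_findings(LOCKOUT_SETTINGS))
    print(audit_passwords(SAMPLE_ACCOUNTS, REVIEW_DATE))
```

The lockout check reports three of the four constructed systems, matching the finding's Windows NT, Sun Solaris and financial system settings; the password check returns, per account, the list of attributes missed, which is the form in which a reviewer would hand the result back to the system owner.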
In addition, Surface Mining had not developed a policy requiring system administration personnel to log on to the system under specific user IDs that were issued to each individual.

Effect: The current password settings reduce the effectiveness of the password as a control, thereby increasing the risk of unauthorized access to sensitive information through password disclosure.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

1. Develop and implement password policies and procedures. In addition, controls to ensure compliance with these policies and procedures should be implemented.

2. Implement a policy requiring system administration personnel to log on to the automated information systems under specific user IDs.

3. Evaluate current capabilities and implement procedures to address encryption or other security methods to help prevent powerful system passwords and accounts from being compromised when traveling across a network, such as the wide area network and the Internet.

H. Novell Network Access

Condition: "Public" users had inappropriate access to computer resources on the Novell network. Specifically, "Public" users had browse access at the root,[2] which allowed anyone to view user IDs and gather information without logging onto the network. Also, we identified 13 accounts with null[3] passwords. In addition, the passwords were not required to be reset, which allowed anyone to log into these accounts to make unauthorized modifications or to manipulate data.

Criteria: Office of Management and Budget Circular A-130, Appendix III, requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. The Circular defines "adequate security" as "security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information." Also, the National Institute of Standards and Technology's "Generally Accepted Principles and Practices for Securing Information Technology Systems" states, "Organizations should implement logical access control based on policy made by a management official responsible for a particular system, application, subsystem, or group of systems."

Cause: Surface Mining management had not developed policies and procedures to ensure that only authorized users had root access and that all accounts had active passwords.

Effect: As a result, Surface Mining could not protect the Novell network operating system and other system software from unauthorized modification or manipulation and therefore could not ensure the integrity and availability of the network, the systems, and the data.

[2] Root provides "a person with unlimited access privileges who can perform any and all operations on the computer. Also called superuser." (The Computer Language Company, Inc., Computer Desktop Encyclopedia, 1981-1998)

[3] Null (null value) is "a value in a field or variable that indicates nothing was ever derived and stored in it." (The Computer Language Company, Inc., Computer Desktop Encyclopedia, 1981-1998)

Recommendation:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, develop policies and procedures to ensure that controls are in place to protect the Novell network operating system and other system software from unauthorized modification or manipulation.

I. User Access Control

Condition: Surface Mining's Information Systems Management Office in Washington, D.C., and the Division of Financial Management in Denver, Colorado, had not implemented controls that limited access to its Novell file servers. Specifically, the "SECURE CONSOLE" command for the Novell file servers was not used. The "SECURE CONSOLE" command removes DOS from the file servers, which prevents users from shutting down the file server, exiting to DOS, and running unauthorized programs. Also, the "LOCK CONSOLE" command was not used. The "LOCK CONSOLE" command ensures that only users with proper authorization can access the file servers. Additionally, the password for the "RCONSOLE" was not encrypted[4] and resided in at least two files (the autoexec.ncf and the netinfo.cfg) at the Division of Financial Management. The "RCONSOLE" command establishes connections that enable keyboard strokes at the workstations to be sent to the file servers and screen image changes at the file servers to be sent to remote workstations.

Criteria: Office of Management and Budget Circular A-130, Appendix III, requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. Circular A-130 defines "adequate security" as "security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information."

Cause: Surface Mining management had not identified or implemented the technical controls necessary to ensure that only authorized users had access to the Novell file servers.

Effect: As a result, Surface Mining increased the risk that unauthorized individuals could access its file servers to run programs or gain access to data files. For example, because the "RCONSOLE" password was not encrypted, sensitive files could be copied to an unprotected location during maintenance/emergency procedures or be viewed by technical contractors or staff who had temporary supervisory access to the file servers.

[4] Encrypt is to "encode data for security purposes." (The Computer Language Company, Inc., Computer Desktop Encyclopedia, 1981-1998)

Recommendation:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, identify and implement the technical controls necessary to ensure that only authorized users have access to the Novell file servers. The controls should include using the "SECURE CONSOLE" command in the autoexec.ncf file, encrypting the "RCONSOLE" password, and using the "LOCK CONSOLE" command.

J. Network Protection

Condition: Surface Mining's Division of Financial Management did not protect its local area network against probes and attacks from unauthorized users. Specifically, the configuration of the Division's network allowed internal and external users to access the systems.

Criteria: Office of Management and Budget Circular A-130, Appendix III, requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. Circular A-130 further defines "adequate security" as "security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information." Additionally, the National Institute of Standards and Technology's "Executive Guide to the Protection of Information Resources" states, "Agency information should also be protected from intruders . . . as well as from employees with authorized computer access privileges who attempt to perform unauthorized actions."

Cause: The Division of Financial Management did not protect its local area network because it had not implemented a firewall[5] system that defined the services and accesses to be permitted or denied when accessing its local area network. Although the Division had a router[6] in place, the router was not used as a firewall to filter access.

Effect: As a result, unauthorized users could easily gain access to the Division of Financial Management's financial and other sensitive applications.
For example, the Division's network was vulnerable to passive threats, such as an intruder viewing data, and active threats, such as an intruder modifying data.

[5] Firewall is a "method for keeping a network secure. It can be implemented in a single router that filters out unwanted packets, or it may be a combination of technologies in router and hosts. They are also used to keep internal network segments secure. For example, a research or accounting subnet might be vulnerable to snooping from within." (The Computer Language Company, Inc., Computer Desktop Encyclopedia, 1981-1998)

[6] Router is a "device that forwards data packets from one local area network or wide area network to another. Routers are used to segment local area networks in order to balance traffic within workgroups and to filter traffic for security purposes and policy management." (The Computer Language Company, Inc., Computer Desktop Encyclopedia, 1981-1998)

Recommendation:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, install a firewall system for the Division of Financial Management's local area network.

SYSTEM SOFTWARE CONTROLS

Control Objective: The control objective for system software is to limit and monitor access to the powerful programs and sensitive files that control the computer hardware and secure applications supported by the system.

K. System Audit Tools

Condition: Surface Mining management did not use available system audit tools to ensure integrity over automated information systems processing and data and to detect inappropriate actions by authorized users. For example, we found that:

- Systems audit software was not used for the Windows NT and Novell servers and the Hewlett Packard and Sun Solaris operating systems at the Divisions of Information Systems Management and Financial Management. According to the "NIST Handbook," this type of tool could assist data center and installation security management in evaluating its systems for security flaws, such as identifying security exposures related to "improper access controls or access control configurations, weak passwords, lack of integrity of the system software, or not using all relevant software updates and patches."

- Some systems options for the Windows NT servers and the Novell operating system at the Divisions of Information Systems Management and Financial Management that produce audit trails in the systems were not implemented. For those systems that did have audit-trail options implemented, the audit trails were not reviewed periodically. In addition, in the systems that had implemented the options to maintain the audit trail, the settings allowed the systems to overwrite[7] the audit trail. Therefore, in some of the systems, an audit trail that logs the results of actions taken by system programmers, system administration, and system users could not be reviewed.

Criteria: Office of Management and Budget Circular A-130, Appendix III, requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. In addition, Circular A-130 states that individual accountability is one of the personnel controls required in a general support system. Circular A-130 further states that an example of one of the controls to ensure individual accountability is examining or looking at patterns of users' behavior by reviewing the audit trails. Also, the "NIST Handbook" states that audit trails are a technical mechanism to achieve individual accountability.

[7] Overwrite is "to record new data on top of existing data such as when a disk record or file is updated." (The Computer Language Company, Inc., Computer Desktop Encyclopedia, 1981-1998)
In addition, the \xe2\x80\x9cHandbook\xe2\x80\x9d\n               recognizes that not taking advantage of automated tools to assist in the review\n               of computer systems security features \xe2\x80\x9cputs system administrators at a\n               disadvantage.\xe2\x80\x9d\n\nCause:         Surface Mining management did not (1) require systems integrity and\n               verification software, (2) implement systems options to record actions taken\n               affecting systems controls and processing, (3) use and maintain available\n               systems audit trails to detect and identify inappropriate actions affecting the\n               systems processing and data integrity, and (4) establish procedures requiring\n               periodic reviews of resultant systems logs.\n\nEffect:        As a result, inappropriate systems settings and processing were not identified\n               and recorded. Additionally, without periodic reviews of system audit trails,\n               there was an increased risk that processing problems or unauthorized activities\n               would not be detected or would not be detected timely and that the individual\n               responsible would not be held accountable for the inappropriate actions.\n\nRecommendations:\n\nWe recommend that the Director, Office of Surface Mining Reclamation and Enforcement:\n\n    1     Evaluate acquiring systems verification and auditing software.\n\n    2. Implement the systems options available in each of the operating systems to record\nactivities affecting the systems.\n\n    3. Implement policies and procedures to ensure that systems logs are used and are\nmaintained for an appropriate amount of time to provide an adequate audit trail of systems\nactivities and are controlled by personnel independent of the systems access control\nadministration function.\n\n    4. 
Develop and implement procedures to ensure that periodic reviews of systems logs\nfor unauthorized or inappropriate activities are performed and that unauthorized or\ninappropriate activities are reported to Surface Mining management.\n\n\n\n\n                                               29\n\x0c                                                                                             APPENDIX 1\n                                                                                             Page 22 of 30\n\n                                                                                                        .I\nSYSTEM SOFTWARE CONTROLS\n\nL. System Software Vulnerabilities\n\nCondition: Surface Mining did not have adequate controls to ensure that necessary system\n           software updates were implemented in a timely manner. Specifically, service\n           packs\xe2\x80\x99 available in October 1998 to address vulnerabilities in the Windows NT\n           operating system had only been implemented by the Division of Financial\n           Management in two of the four NT systems affected by the vulnerabilities as\n           of March 30, 1999.\n\nCriteria:       Federal Information Processing Standards Publication 106, \xe2\x80\x9cGuideline on\n                Software Maintenance,\xe2\x80\x9d states that \xe2\x80\x9csoftware maintenance is the performance\n                of those activities required to keep a software system operational and\n                responsive after it is accepted and placed into production.\xe2\x80\x9d In addition, the\n                \xe2\x80\x9cGuidelihe\xe2\x80\x9d states that \xe2\x80\x9csoftware maintenance is the set of activities which\n                result in changes to the originally accepted (baseline) product set.\xe2\x80\x9d Further, the\n                \xe2\x80\x9cGuideline\xe2\x80\x9d states that \xe2\x80\x9cthese changes are made in order to keep the system\n                functioning in an evolving, expanding 
user and operational environment.”

Cause:         Surface Mining management had not established policies and procedures to ensure that current service packs to the operating systems were evaluated for implementation and that the current fixes available from the vendor to address systems problems and vulnerabilities were implemented when necessary.

Effect:        The risk is increased that fixes for known operating systems vulnerabilities that have been identified and addressed by the systems software vendor will not be implemented by Surface Mining management as necessary.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

    1. Establish policy and procedures for ensuring that available software updates and service packs are reviewed to identify those that should be implemented to address an applicable systems vulnerability.

    2. Implement procedures to ensure that those updates which are determined to be needed are implemented in a timely manner.

[8] Service pack is “a software patch that is applied to an installed application. It is typically downloaded from the vendor’s Web site. When executed, it modifies the application in place.” (The Computer Language Company, Inc., Computer Desktop Encyclopedia, 1981-1998)


SEPARATION OF DUTIES

Control Objective: The control objective for separation of duties is the establishment of policies, procedures, and organizational structure so that one individual cannot control key aspects of computer-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.

M. Duties Related to Automated Information Systems

Condition:     The duties related to all the automated information systems throughout Surface Mining were not separated effectively. Specifically, we found that:

    - Individuals responsible for setting up users of the automated information systems were also the individuals controlling the systems security logs that record the activities of the users of these systems.

    - Individuals who controlled systems audit trails were also responsible for system administration, which resulted in these personnel monitoring their own system activities.

    - Application programmers who made code changes to software were also responsible for moving those changes into production.

    - Application programmers were responsible for changing production data.

Criteria:      Office of Management and Budget Circular A-130, Appendix III, requires that security controls of personnel include separation of duties. Circular A-130 and the “NIST Handbook” define separation of duties as the division of roles and responsibilities and of steps in a critical function so that no one individual can undermine a critical process. Additionally, Surface Mining’s Information Resources Management (IRM) Policies and Procedures Manual states that appropriate safeguards should be used “to prevent unauthorized access to and use of information, data, and software.” The “Generally Accepted Principles and Practices for Securing Information Technology Systems,” issued by the National Institute of Standards and Technology, states, “In conjunction with appropriate tools and procedures, audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events, intrusion detection, and problem identification.” This publication further states that “access to online audit logs should be strictly controlled” and that “[o]rganizations should strive for separation of duties between security personnel who administer the access control function and those who administer the audit trail.” Additionally, the publication states that “audit trails should be reviewed periodically.”

Cause:         Surface Mining management had not ensured that personnel whose duties included performing reviews of security logs were different from the personnel whose responsibilities included establishing users on those systems. In addition, no policy had been implemented to ensure that systems audit trails were maintained and controlled by individuals other than those responsible for administration of the access control function. Further, the Division of Financial Management did not appropriately assign duties for application programmers to ensure that critical processes were not subverted. Specifically, application programmers should not have access to production data because production data should be restricted to users.

Effect:        Since logging and subsequently reviewing the logs are primary detection controls used to identify inappropriate activities of users who have significant system access, separating these two functions provides one of the main internal controls over the system administration function. As a result, there was an increased risk that inappropriate actions by the individuals who established system users would not be detected, or would not be detected timely. In addition, there is an increased risk that accidental or intentional unauthorized actions by programmers could threaten the integrity of Surface Mining’s data and disrupt systems processing.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

    1. Implement procedures to ensure that personnel who perform access control administration are not the same individuals who review and control systems security logs and systems audit trails.

    2. Implement controls to ensure that application programmers are not responsible for moving changed software into the production environment and do not have access to update or change production data.


SOFTWARE DEVELOPMENT AND CHANGE MANAGEMENT

Control Objective: The control objective for software development and change management is to prevent unauthorized programs or modifications to an existing program from being implemented.

N. Change Management Controls

Condition:     Change management controls over applications software were not adequate. Specifically, we found that:

    - The applications implementation, conversion, and testing process was inadequate, causing data to be incorrect and requiring users to identify data errors, prepare and submit change requests to correct the data, and reenter the correct data. Additionally, without adequate change management controls, Surface Mining was at risk of having malicious codes inadvertently or deliberately added to the applications software.

    - Software edits were removed without ensuring that change management controls were followed. Thus, changes were made that were not authorized, approved, and tested.

    - User change requests were not addressed in a timely manner.

Criteria:      Office of Management and Budget Circular A-127, “Financial Management Systems,” states, “Financial management systems shall be designed to provide for effective and efficient interrelationships between software, hardware, personnel, procedures, controls, and data contained within the system.” Surface Mining’s “Information Resources Management (IRM) Policies and Procedures Manual” requires system owners to establish formal, written standards for program changes (both scheduled and emergency) and to authorize all scheduled program changes. In addition, the “Manual” requires system managers to ensure that all program changes meet formal, written standards and to notify the system owner when emergency program changes are made. Also, the “Manual” requires that unit, integration, system, and acceptance testing be used when a new system is developed or an existing system is enhanced.

Cause:         Surface Mining management did not ensure that its “Information Resources Management (IRM) Policies and Procedures Manual” was followed for changing applications software. Additionally, because change requests were not addressed timely, Surface Mining had a significant change request backlog that may reduce the ability of the applications to meet the users’ requirements.

Effect:        As a result, the risk was increased that processing irregularities or malicious codes could be introduced, that data lacked integrity, and that applications were not functioning to meet users’ needs. In addition, the applications did not process data accurately, which resulted in insufficient and costly manual processes, such as time and personnel resources, to supplement the applications’ deficiencies.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

    1. Enforce Surface Mining’s written policies and procedures to ensure that all application programs and modifications are properly authorized, tested, and approved and that access to and distribution of programs is controlled.

    2. Establish the process of correcting applications deficiencies as a high priority to reduce manual processes.

    3. Review change requests timely to ensure that user requirements are supported in the applications.


SERVICE CONTINUITY

Control Objective: The control objective for service continuity is to ensure that when unexpected events occur, critical operations continue without interruption or are promptly resumed and critical and sensitive data are protected.

O. Business Continuity of Operations

Condition:     Surface Mining had not developed continuity of operations plans for its telecommunications links or finalized plans for its facilities and data centers. In addition, while Surface Mining had completed draft plans for its data centers and its facilities, these plans had not been approved or tested, and training had not been provided to personnel on the plans. Further, the off-site facility (cold storage for backup tapes) for Surface Mining headquarters operations was not located at least 1 mile from the headquarters location.

Criteria:      Office of Management and Budget Circular A-130, Appendix III, requires agencies to establish a comprehensive contingency plan and periodically test the capability to perform the agency function supported by the application, as well as critical telecommunications links, in the event of a disaster or system failure.
Additionally, the “NIST Handbook” states that a comprehensive disaster recovery plan is necessary to ensure the timely recovery of all business functions and the systems environment that are critical for day-to-day operations and to minimize downtime. Further, the “NIST Handbook” recognizes that personnel should be trained in their contingency-related duties. In addition, the “NIST Handbook” states that a primary contingency strategy for applications and data is storage at a secure off-site facility. According to the “NIST Handbook,” a secure off-site storage facility should be physically and environmentally protected to prevent access by unauthorized individuals and to protect data from heat, cold, or harmful magnetic fields, and should be located at least 1 mile from the installation. Also, the Department of the Interior “Automated Information Systems Security Handbook” mandates off-site storage for “all AIS [automated information systems] installations providing critical support to the organization’s missions.”

Cause:         Prior to the issuance of the Department of the Interior’s Office of Managing Risk and Public Safety Policy Bulletin 98-001, “Continuity of Operations Planning - Guidance and Schedules,” dated March 1998, Surface Mining did not have any contingency plans for its telecommunications links, facilities, or data centers. At the time of our review, Surface Mining had developed contingency plans for its data centers and facilities, but it had not included plans for telecommunications links and had not addressed the testing of these plans. Further, Surface Mining management was unaware of the requirement to have an off-site storage facility located at least 1 mile from the original computer facility installation.

Effect:        As a result, Surface Mining increased its risk of being unable to recover and resume critical operations should the systems fail or disasters occur.

Recommendations:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement:

    1. Ensure that a contingency plan is developed for critical telecommunications links.

    2. Ensure that contingency plans for telecommunications links, facilities, and the data center are finalized and tested and that test results are used to update these plans. Additionally, assurance should be provided that personnel are trained to implement the plans.

    3. Provide for a secure off-site storage facility that is at least 1 mile from the computer facility.


P. Incident Response Plan and Team

Condition:     Surface Mining did not have a formal incident response plan and a formal response team in place to respond timely and efficiently to information system security incidents, whether an incident was caused by a computer virus, other malicious codes, or a system intruder (either an insider or an outsider). A security incident may affect sensitive systems at different network sites, including contractors and clients. For example, end users would not know whom to contact if they found or had inadvertently introduced a virus to the network. Further, the system administrators might not escalate the incident to Surface Mining’s security management, thus allowing the virus to propagate across the wide area network.

Criteria:      Office of Management and Budget Circular A-130, Appendix III, states that “when faced with a security incident, an agency should be able to respond in a manner that both protects its own information and helps to protect the information of others who might be affected by the incident. To address this concern, agencies should establish formal incident response mechanisms.”

               The National Institute of Standards and Technology’s “Generally Accepted Principles and Practices for Securing Information Technology Systems” states that “an organization should address computer security incidents by developing an incident handling capability.”

Cause:         Surface Mining did not have a formal incident response plan or a formal response team because management believed that the local area and wide area network administrators were prepared to respond to each security breach based on what occurred during the incident. We believe that without a formal plan, Surface Mining may not have identified all types of incidents and the actions to take to prevent further spreading of a virus. A formal incident response plan would include, for example, the names of important contacts, both external and internal, such as managers and technical support personnel to aid in containment and recovery efforts and, if appropriate, Federal law enforcement officials to investigate the incidents.

Effect:        Without a formal response plan and team, Surface Mining cannot provide assurance to its users, contractors, or clients that data would be protected, that security incidents would be handled quickly and efficiently, and that corrective actions would be implemented.

Recommendation:

We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, develop and implement a formal incident response plan and team.


APPENDIX 2

OFFICE OF SURFACE MINING RECLAMATION AND ENFORCEMENT SENSITIVE AUTOMATED INFORMATION SYSTEMS

Office of Surface Mining’s Sensitive Automated Information Systems as Reported to the Department of the Interior in Surface Mining’s “Automated Information Systems Security Plan,” Dated February 1998

Advanced Budget/Accounting Control and Information Systems (ABACIS)
Audit Fee Billing and Collection System (AFBACS)
Abandoned Mine Lands Inventory System (AMLIS)
Applicant Violator System (AVS)
Civil Penalty Accounting Control System (CPACS)
Coal Data Repository System (CDR)
Electronic Mail (E-Mail)
Fee Billing and Collection System (FEEBACS)
Grants Information Fund Tracking System (GIFTS)
Litigation Tracking System (LTS)
Payroll/Personnel Data Entry (PAY/PERS)*
Synergistic Acquisition Tracking Inventory Network (SATIN)
Technical Information Processing System (TIPS)

Additional Sensitive Systems**

Correspondence Tracking System (CTS)
Office of Surface Mining Wide Area Network (OSMNET)
Work Assignment Tracking System/Mine Information, Project Planning System (WATTSMIPPS)
Administrative Records Management System (ARMS)

*In its response to the draft report, the Office of Surface Mining stated that this system “is no longer used.”

**In its response to the draft report, the Office of Surface Mining identified additional mission critical or sensitive systems.
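Finding K (Recommendation 3) and Finding M above name the role combinations that defeat the logging control: the person who sets up users or administers a system must not also control the audit trail, and a programmer must not promote their own code or alter production data. As an added example that is not part of the audit report, the following Python script checks a constructed person-to-role table for exactly those four combinations and confirms that at least one log reviewer is independent of access control administration; the role identifiers and the sample table are assumptions made for this example.

```python
"""Separation-of-duties (SoD) conflict check for the role combinations cited in
Finding M of the audit report.  Added example; role names and sample data are
constructed for illustration and are not taken from the report."""

import csv
import io
from dataclasses import dataclass
from itertools import combinations

# Role identifiers (assumptions for this example, named after the duties in the finding).
USER_ADMIN = "user_account_admin"          # sets up users / administers access control
LOG_REVIEW = "security_log_review"         # reviews and controls security logs and audit trails
SYS_ADMIN = "system_admin"                 # day-to-day system administration
APP_PROGRAMMER = "application_programmer"  # makes code changes
PROD_DEPLOY = "production_deploy"          # moves code changes into production
PROD_DATA_WRITE = "production_data_update" # changes production data

KNOWN_ROLES = {USER_ADMIN, LOG_REVIEW, SYS_ADMIN, APP_PROGRAMMER, PROD_DEPLOY, PROD_DATA_WRITE}

# One incompatible pair per bullet in the Condition of Finding M.
TOXIC_PAIRS = {
    frozenset({USER_ADMIN, LOG_REVIEW}): "sets up users and controls the logs of those users",
    frozenset({SYS_ADMIN, LOG_REVIEW}): "administrator monitors own system activity",
    frozenset({APP_PROGRAMMER, PROD_DEPLOY}): "programmer promotes own changes to production",
    frozenset({APP_PROGRAMMER, PROD_DATA_WRITE}): "programmer can change production data",
}

# Constructed role assignment table in a simple person,role CSV layout.
SAMPLE_CSV = """\
person,role
alice,user_account_admin
alice,security_log_review
bob,system_admin
bob,security_log_review
carol,application_programmer
carol,production_deploy
carol,production_data_update
dave,application_programmer
erin,production_deploy
"""


@dataclass(frozen=True)
class Violation:
    person: str
    roles: frozenset
    reason: str


def parse_assignments(csv_text):
    """Return {person: set(roles)} from person,role CSV text; reject unknown roles."""
    assignments = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        person, role = row["person"].strip(), row["role"].strip()
        if role not in KNOWN_ROLES:
            raise ValueError(f"unknown role {role!r} assigned to {person}")
        assignments.setdefault(person, set()).add(role)
    return assignments


def find_violations(assignments):
    """Flag every person holding both roles of any toxic pair."""
    found = []
    for person, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            pair = frozenset({a, b})
            if pair in TOXIC_PAIRS:
                found.append(Violation(person, pair, TOXIC_PAIRS[pair]))
    return sorted(found, key=lambda v: (v.person, sorted(v.roles)))


def independent_log_reviewers(assignments):
    """People who review logs but hold neither access-control nor system-admin duties.
    An empty result means the audit trail is controlled only by the people it records."""
    return {
        person for person, roles in assignments.items()
        if LOG_REVIEW in roles and not roles & {USER_ADMIN, SYS_ADMIN}
    }


def sod_report(csv_text):
    """Run both checks and return (violations, independent reviewers, control_passes)."""
    assignments = parse_assignments(csv_text)
    violations = find_violations(assignments)
    reviewers = independent_log_reviewers(assignments)
    return violations, reviewers, not violations and bool(reviewers)


if __name__ == "__main__":
    violations, reviewers, passes = sod_report(SAMPLE_CSV)
    for v in violations:
        print(f"{v.person}: {' + '.join(sorted(v.roles))} -> {v.reason}")
    print("independent log reviewers:", sorted(reviewers) or "none")
    print("separation of duties control:", "PASS" if passes else "FAIL")
```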
39\n\x0c                                                                                       APPENDIX 3\n                                                                                       Page 2 of 15\n\n\n\n                            OFFICE OF SURFACE MINING\n                     RESPONSE TO IG AUDIT RECOMMENDATIONS\n                                 September 17,1999\n\n\n         OSM reviewed the Draft Audit Report and agrees that we must have documented security\nplans, risk analysis, and a security policy. Although many of our security procedures were not\nwritten in these specific documents, we do have security controls in place. The Division of\nFinancial Management operates sensitive systems which process financial data. These systems\nare comprised of two computer platforms, the Hewlett-Packard and the SUN, which operate\nseven of the 16 Mission Critical Systems in OSM.\n\n        To ensure that the operating environment at the Division of Financial Management is\nsecure and that the financial systems are protected, we maintain a secure building that houses the\ncomputer systems. The computer room contains an un-intermptible power supply and is\nenvironmentally controlled with an \xe2\x80\x9cautomated notification\xe2\x80\x9d temperature and electrical monitor.\nIn addition, we have off-site storage of system and application back-ups which have been tested,\n\n        Security access systems are in place that limit \xe2\x80\x9csystem administrator\xe2\x80\x9d privileges to the\nsystem administrator, their backup, and select other personnel on an as needed basis. We have\nseparation of tictional duties to preclude any one person from processing a transaction from\nbeginning to end. 
In addition, Daily Synchronization Reports are produced to test the integrity of\nthe data in the systems and all system modifications are tested prior to implementation.\n\n       The following responses address each of the 38 recommendations identified in Appendix\n1 of the Draft Audit Report:\n\nSECURITY PROGW\n\nA.     Risk Assessments\n\nRecommendations:\n\n1.     Determine the risks associated with each of the systems and, based on the results of\n       the risk assessments, establish appropriate security policies and procedures.\n\n       Response: OSM concurs with tliis recommendation and offers the following response:\n\n         OSM completed a risk assessment for each of its 16 mission critical systems and has\nestablished security policies and procedures. The risk assessments for each of the OSM\xe2\x80\x99s mission\ncritical systems are at attachment I. The security policies and procedures are at attachment II.\n\n\n                                                 1\n\n\n\n                                            41\n\x0c                                                                                       APPENDIX 3\n                                                                                       Page 3 of 15\n\n\n\n\n2.      Ensure that risk assessments are conducted in accordance with Federal guidelines\n        which recommend that risk assessments support the acceptance of risk and the\n        selection of appropriate controls. 
Specifically, the risk assessments should address significant risks affecting sensitive systems and major applications, appropriately identify controls implemented to mitigate those risks, and formalize the acceptance of residual risk.

       Response: OSM concurs with this recommendation and offers the following response:

       The risk assessments developed by OSM were conducted in accordance with Federal Guidelines and document the acceptance of risk and the selection of appropriate controls. A copy of these risk assessments is at attachment I. The IG has conducted an interim review of several of these risk assessments and given OSM recommendations for improvements, and these recommendations are being incorporated into the completed final risk assessments.

3.     Formally assign and communicate responsibility to those required to participate in assessing risks.

       Response: OSM concurs with this recommendation and offers the following response:

       The Information Systems Security Officer (ISSO) has been formally assigned as the security officer for OSM and is responsible for ensuring that continuing risk assessments are performed on OSM’s mission critical systems. The Information Systems Security Officer has contacted each of the system owners of OSM’s 16 mission critical systems and had them participate in developing the risk assessments at attachment I. Chapter I of the Security Directive provides policy concerning the Program Managers’ responsibility for creating and implementing security plans and risk assessments for mission critical systems in their area of responsibility.

SECURITY PROGRAM

B.     System Security Plans

Recommendations:

1.
Provide resources to ensure that automated information systems security plans are developed for its general support systems and major applications in accordance with the Computer Security Act; Office of Management and Budget Circular A-130, Appendix III; and the National Institute of Standards and Technology Special Publication 800-18.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM has provided the necessary resources and developed system security plans for each of its mission critical systems. The security plans for each of OSM’s 16 mission critical systems are at attachment III. There is one automated system on your list of mission critical systems that should be removed. The Payroll/Personnel Data Entry (PAY/PERS) is no longer used by OSM. The IG conducted an interim review of several of these security plans and has given OSM recommendations for improvements. These recommendations are being incorporated into the completed security plans.

2.
Ensure that the automated information systems security function is elevated organizationally to report directly to Surface Mining’s Chief Information Officer and formally provide the position with the authority to implement and enforce the Surface Mining-wide computer security program.

       Response: OSM concurs with the recommendation that the security function should be elevated; however, we feel that it should be elevated to the Deputy Chief Information Officer rather than the Chief Information Officer, for the following reason:

       The Deputy Director of OSM is designated as Chief Information Officer for the Bureau. However, at the present time, OSM does not have a Deputy Director. Therefore, OSM will elevate the security function organizationally to report directly to the Deputy Chief Information Officer.

3.     Report the lack of security plans for Surface Mining’s 13 sensitive systems as a material weakness in Surface Mining’s annual assurance statement on management controls for fiscal year 1999.

       Response: OSM concurs with the finding that there was a lack of security plans for 13 sensitive systems. However, OSM does not feel that this should be reported as a material weakness in the annual assurance statement on management controls for fiscal year 1999, for the following reason:

       OSM has completed security plans for all of its 16 mission critical systems. These security plans are at attachment III.

SECURITY PROGRAM

C.     Security-Related Personnel Policies and Procedures

Recommendations:

1.
Ensure that personnel security policies and procedures are developed, implemented, and enforced, including those for obtaining appropriate security clearances for personnel filling sensitive or critical public trust positions.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM has developed a Security Directive (copy at attachment II), which contains personnel security policies and procedures for obtaining appropriate security clearances for personnel filling sensitive and critical trust positions. In addition, the Office of Personnel has developed a procedures guidelines document, which has been included in Chapter VI of the Security Directive, that will provide guidance on how to designate position sensitivity for all OSM positions and the level of background investigations which should be completed on each type of position.

       The Office of Personnel is in the process of identifying all personnel in Sensitive Computer Areas and their position risk designation to assure proper clearance and background investigations are completed. The procedures for implementing this policy are found in Chapter VI of the Security Directive.

2.
Ensure that all automated data processing contractor employees have proper background clearances.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM has developed mandatory language to be used in all agency contracts requiring that all contractor employees receive proper background clearances. This language will be in all agency contracts effective with contract renewals for October 1, 1999. In addition to mandatory language in all agency contracts, all contractors currently on board will receive a background clearance, if required, and the requirement for all new contractor employees to receive proper background clearances is included in the OSM Security Directive at attachment II, in Chapter I, Section E.

3.     Ensure that periodic re-investigations are completed every 5 years on personnel who are in public trust high risk positions.

       Response: OSM concurs with this recommendation that periodic re-investigations should be completed on personnel in public trust high risk positions and offers the following response:

       OSM agrees that re-investigations should be completed on personnel in public trust high risk positions. Although we are a small agency with few resources for re-investigations, we will ensure that periodic re-investigations are completed every five years on personnel in public trust high risk positions. Chapter VI contains policy on OSM’s Personnel Security Program.

ACCESS CONTROLS

D.
Resource Classifications

Recommendation:

1.     We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, develop and implement policies to classify Surface Mining’s computer resources in accordance with the results of periodic risk assessments and guidance contained in Office of Management and Budget Circular A-130, Appendix III.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM has completed risk analyses and security plans for all sensitive systems, which will be approved by appropriate agency personnel in concert with Program Managers. The Security Directive at attachment II includes policy on how to designate sensitive data and requirements for sensitive and non-sensitive data. In addition, OSM has developed and implemented policies in the OSM Security Directive to ensure that access controls are in place that limit access to Sensitive Computer Areas to protect computer resources from unauthorized modification, loss, disclosure, or compromise.

E.     Access Levels

Recommendations:

1.
Institute a policy of “least privilege” access levels to ensure that access to resources and data is limited to those users who require such access.

       Response: OSM concurs with this recommendation and offers the following response:

       In Chapter XII, Section D of OSM’s Security Directive, at attachment II, policy has been included to ensure that access to resources and data is limited to those users who require such access. The Division of Financial Management completes a total review of all User access privileges every six months. This involves the system owners reviewing all employees who have access to their applications and related assigned privileges.

2.     Develop and implement policies and procedures for approving access to the automated information systems that include the formal assignment of responsibility for approving system access.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM has written policies and procedures in Chapter XII, Section D of the Security Directive for approving access to the automated information systems and has assigned responsibility for approving systems access to the appropriate areas within the organization. OSM requires that all requests for User IDs and access privileges by DFM users be documented via a hardcopy authorization form or electronic request with proper approval by system owners.

3.
Develop and implement procedures to ensure that user access levels are periodically reviewed to ensure that the current access provided is appropriate.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM has included procedures in Chapter XII, Section D of the Security Directive that user access levels are periodically reviewed to ensure that access levels provided are appropriate. OSM requires that all system administrators complete a total review of all User access privileges every six months. This involves the system owners reviewing all employees who have access to their applications and related assigned privileges.

4.     Develop and implement procedures to ensure that system administration personnel are promptly notified of changes in employee assignment or employment terminations.

       Response: OSM concurs with this recommendation and offers the following response:

       The OSM Employee Exit Clearance Form will be updated to include a section for the supervisor of the employee being reassigned or terminated to sign. The signature will remind the supervisor of his responsibility to immediately notify the Information Systems Security Officer that a particular employee has had a change of status. In addition, as an increased security precaution, the Office of Personnel will send a message to the systems administrators listing all employees that have left the agency during the previous pay period. This policy is in Chapter IX, Section B.

5.     Implement controls to ensure that system owners approve all access to their application in accordance with Surface Mining policy.

       Response: OSM concurs with this recommendation and offers the following response:

       The OSM Security Directive, attachment II, Chapter IX, Section B, contains policy requiring system owners to approve all access to their application systems.
OSM requires that all requests for User IDs and access privileges be documented via a hardcopy authorization form or electronic request with proper approval by system owners. Before user IDs generated as a result of these requests are activated, DFM must receive a signed “Rules of Behavior” from the user.

F.     System Log-in

Recommendations:

1.     Develop and implement policies and procedures establishing the maximum log-in attempts allowed for its automated information systems in compliance with Department of the Interior regulations.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM has implemented policy in its Security Directive that establishes the maximum unsuccessful log-in attempts to be three (3) before the user is locked out of the system. However, the SUN computer at DFM is set for five (5) attempts prior to invalidation of a User ID, because this is a standard for the SUN Solaris System. This policy is in Chapter XII, Section D.

2.     Ensure that the systems log-in warning message is the first screen displayed upon initial access and prior to the user being authenticated as a valid system user.

       Response: OSM concurs with the recommendation and offers the following response:

       The hardware and operating system architecture of the systems does not always allow a warning message to be the first screen displayed upon initial access to the system. However, OSM will place the systems log-in warning message as close to the first screen as the hardware and software will allow.

G.     Password Settings

Recommendations:

1.
Develop and implement password policies and procedures. In addition, controls to ensure compliance with these policies and procedures should be implemented.

       Response: OSM concurs with the recommendation and offers the following response:

       OSM has included password policy and other access control measures in the Security Directive. The policy requires a minimum of six alphanumeric characters on passwords. The system software has been modified to not accept a password of less than the minimum required characters. This policy is in Chapter XII, Section B of the Security Directive.

2.     Implement a policy requiring system administration personnel to log on to the automated information systems under specific user IDs.

       Response: OSM concurs with the recommendation and offers the following response:

       The OSM Security Directive, at attachment II, contains policy requiring system administrators to have and use their own unique password when logging into the systems as an administrator. This policy specifically states that system administrators are not to share passwords. In addition, the policy states that passwords will be changed every 90 days. This policy is in Chapter XII, Section B of the Security Directive.

3.
Evaluate current capabilities and implement procedures to address encryption or other security methods to help prevent powerful system passwords and accounts from being compromised when traveling across a network, such as the wide area network and the Internet.

       Response: OSM concurs with the recommendation and offers the following response:

       Upon implementation of the firewall at DFM during the fall of 1999, encryption software will be installed on client workstations belonging to the various System Administrators within the DFM to provide increased security for their user IDs and passwords during transmittal.

H.     Novell Network Access

Recommendation:

1.     We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, develop policies and procedures to ensure that controls are in place to protect the Novell network operating systems and other system software from unauthorized modification or manipulation.

       Response: OSM concurs with this recommendation and offers the following response:

       1.     OSM has included policy in the Security Directive to ensure that users are not given inappropriate access to computer resources on the Novell network. Users will not be given browse access at the root, and the Security Directive (copy at attachment II) will not allow the use of null passwords. This policy is in Chapter XII, Section D.

I.     User Access Control

Recommendation:

1.     We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, identify and implement the technical controls necessary to ensure that only authorized users have access to the Novell file servers.
The controls should include using the “SECURE CONSOLE” command in the autoexec.ncf file, encrypting the “RCONSOLE” password, and using the “Lock Console” command.

       Response: OSM concurs with the recommendation that only authorized users should have access to the Novell file servers, and offers the following response:

       1.     The Security Directive will include policy that requires the use of encrypting the “RCONSOLE” password. In addition, the policy will also require that the “SECURE CONSOLE” command in the autoexec.ncf file and the “LOCK CONSOLE” command must be used, unless the computer room is secure and unauthorized users are not able to gain access to the computer room. This policy is in Chapter XII, Section B.

J.     Network Protection

Recommendations:

1.     We recommend that the Director, Office of Surface Mining Reclamation and Enforcement, install a firewall system for the Division of Financial Management local area network.

       Response: OSM concurs with this recommendation and offers the following response:

       A firewall is currently being installed at the Division of Financial Management in Denver and in the Headquarters location in Washington, D.C.

SYSTEM SOFTWARE CONTROLS

K.     System Audit Tools

Recommendations:

1.
Evaluate acquiring systems verification and auditing software.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM will establish a team from its group of Information Technology resources to evaluate acquiring systems verification and auditing software. This team will be established during the agency-wide IRM Coordinators meeting being conducted in November 1999.

2.     Implement the systems options available in each of the operating systems to record activities affecting the system.

       Response: OSM concurs with this recommendation and offers the following response:

       Both the SUN and HP computer systems at DFM maintain and retain system logs for a period of six months. The audit function on both NT and Novell in other locations is enabled.

3.     Implement policies and procedures to ensure that system logs are used and are maintained for an appropriate amount of time to provide an adequate audit trail of systems activities and are controlled by personnel independent of the systems access control administration function.

       Response: OSM concurs with this recommendation and offers the following response:

       Both the SUN and HP computer systems at DFM maintain and retain system logs for a period of six months. The audit function on both the NT and Novell servers in Washington is enabled.

4.
Develop and implement procedures to ensure that periodic reviews of systems logs for unauthorized or inappropriate activities are performed and that unauthorized or inappropriate activities are reported to Surface Mining management.

       Response: OSM concurs with this recommendation and offers the following response:

       System administrators/system managers will review logs periodically and report incidents in conformance with OSM’s Incident Reporting Procedures. The Incident Reporting Procedures are in Chapter XI, Section G of the Security Directive.

L.     System Software Vulnerabilities

Recommendations:

1.     Establish policy and procedures for ensuring that available software updates and service packs are reviewed to identify those that should be implemented to address any applicable systems vulnerability.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM has established policy to ensure that available software updates and service packs are reviewed to identify needed software upgrades and new service packs. The DFM Quality Assurance Log schedules a monthly task to hardware system managers to check via the Internet for software upgrades and new service packs.

       The system manager, based on their research and needs, will decide on implementing software upgrades. This policy is in Chapter XI, Section H of the Security Directive.

2.
Implement procedures to ensure that those updates deemed needed are implemented in a timely manner.

       Response: OSM concurs with this recommendation and offers the following response:

       The DFM Quality Assurance Log schedules a monthly task to hardware system managers to check via the Internet for software upgrades and new service packs. The system manager, based on their research and needs, will decide on implementing software upgrades. This policy is in Chapter XI, Section H of the Security Directive.

SEPARATION OF DUTIES

M.     Duties Related to Automated Information Systems

Recommendations:

1.     Implement procedures to ensure that personnel who perform access control administration are not the same individuals who review and control systems security logs and systems audit trails.

       Response: OSM concurs with the recommendation and offers the following response:

       DFM has procedures in place to ensure that personnel who perform access control administration are not the same individuals who review and control systems security logs and systems audit trails. Procedures of this type are handled outside of the particular software system, because hardware and software providers (Hewlett-Packard, SUN, NOVELL, and NT included) established access to system security logs, system audit trails, and the ability to create and modify user access to their computer platforms as a function of the System Manager.

       In order to better control these functions, DFM has implemented a number of “checks and balances” to ensure integrity.
The establishment of a new user or the modification of an existing user must be requested by the user’s supervisor and approved by the system owner. Then, DFM’s Information Systems Security Officer coordinates with the appropriate System Manager to create or modify the user’s access to the system. Biannually, the system owners review a list of registered users and their access levels to confirm that they are valid. This creates both a “separation of duties” between those individuals who authorize access and those individuals who enable access to DFM systems and provides for a continuing re-evaluation of access to DFM systems.

       With regard to the review of control systems security logs, system software monitors unauthorized access attempts to DFM systems and automatically disables a user ID after three to five access attempts, depending on the system specifications. This software also maintains logs of successful access to DFM systems. Logs are also reviewed by the system owner and the Information Systems Security Officer periodically to determine if unauthorized access attempts to DFM systems are being attempted.

       DFM defines systems audit trails as database logs. These database logs are controlled by the individual database administrators. Database logs are used by DFM for two purposes: (1) to identify invalid or inappropriate changes to data within DFM systems, and (2) to recover data whenever a hardware or software error occurs.
Because these logs are controlled by the database administrator and not the System Manager, the requirement for separation of duties is satisfied.

2.     Implement controls to ensure that application programmers are not responsible for moving changed software into the production environment and do not have access to update/change production data.

       Response: OSM concurs with this recommendation and offers the following response:

       DFM’s computer programmers have the capability to check production software in and out of the application software libraries and to modify production data. This is a very typical process in small data processing shops. DFM does not have funding or staffing levels to maintain independent software librarians, security officers, security maintenance personnel, and programmers who only work on test areas and do not have access to production areas.

       Change control procedures are used by the system owner and technical staff in requesting and completing changes (STR and DSR). Programmers are assigned tasks, the system owner tests the programmer’s modifications, and the programmer schedules and implements the modifications after a successful test and approval by the system owner. All program modifications are recorded via system logs, table/file date stamping, and in the DSR/STR System.

       Quality and internal controls are completed via external reconciliation, quality assurance, internal control reports, and via separation of functional duties to preclude a transaction from being completed from beginning to end by one person.

N.     Change Management Controls

Recommendations:

1.
Enforce Surface Mining’s written policies and procedures to ensure that all application programs and modifications are properly authorized, tested, and approved and that access to and distribution of programs is controlled.

       Response: OSM concurs with this recommendation and offers the following response:

       OSM will enforce its policies and procedures to ensure that all application program modifications are properly authorized, tested, and approved and that access to and distribution of programs are controlled. This policy is in Chapter XII, Section H and Chapter IV, Section D of the Security Directive.

2.     Establish the process of correcting application deficiencies as a high priority to reduce manual processes.

       Response: OSM concurs with this recommendation and offers the following response:

       DFM has a process for prioritization of System Trouble Reports (STR) and Data System Requests (DSR). All requests for changes to the systems are recorded on these forms. STRs are corrected immediately. DSRs are generated by users to improve reports, develop new reports, develop new modules, etc. We encourage users to prepare a DSR for all desired changes so that system owners can maintain an inventory of requested changes and prioritize the top five requests. Our current inventory is larger because of the resource drain by Year 2000, standard general ledger, and budget object class changes.

       The DFM Quality Assurance Log has an event scheduled every two weeks that requires a review and prioritization of STR/DSR.
This process to correct deficiencies will be established as a high priority.

3.     Review change requests timely to ensure that user requirements are supported in the applications.

       Response: OSM concurs with this recommendation and offers the following response:

       The DFM Quality Assurance Log has an event scheduled every two weeks that requires a review and prioritization of STR/DSR. This process to correct deficiencies will be established as a high priority. OSM will provide timely review of change requests to ensure that user requirements are supported in a timely manner.

SERVICE CONTINUITY

O.     Business Continuity of Operations

Recommendations:

1.     Ensure that a contingency plan is developed for critical telecommunications links.

       Response: OSM concurs with the recommendation and offers the following response:

       OSM has developed a Continuity of Operations Plan (copy at attachment VI), which documents the re-establishment of critical telecommunications services, including telecommunications data links, within “Appendix F”, Telecommunications. For example, DOINET, FTS2000 (AT&T), FTS2001 (MCI-Worldcom), and the General Services Administration’s local exchange carriers’ service contracts stipulate loss-of-service recovery time periods by the carriers and the capability to reroute service-outage access.

2.
Ensure that contingency plans for telecommunications links, facilities, and data\n        center are finalized and tested and that test results are used to update these\xe2\x80\x99plans.\n        Additionally, assurance should be provided that personnel are trained to implement\n        the plans.\n\n\n        Response: OSM concurs with the recommendation and offers the following response:\n\n        The OSM Continuity of Operations Plan documents both severity of operational outages\nand the respective operational contingency site locations. For example, outages affecting only the\nSouth Interior Building are to be operationally restored from the Main Interior Building in\nWashington, D.C. Personnel training, test-plan reviews, test-execution, and lessons learned will\nbe incorporated and updates will be addressed annually.\n\n3.     Provide for a secure off-site storage facility that is a least 1 mile from the computer\n       facility.\n\n       Response: OSM concurs with this recommendation and offers the following response:\n\n         OSM Headquarters, in Washington, D.C., has established the Appalachian Regional\nCoordinating Center in Greentree, Pennsylvania, a distance of more than l-mile as the secure off-\nsite storage location.\n\nP.     Incident Response Plan and Team\n\nRecommendation:\n\n1.     We recommend that the Director, Office of Surface Mining Reclamation and\n       Enforcement, develop and implement a formal incident response plan and team.\n\n       Response: OSM concurs with this recommendation and offers the following response:\n\n        OSM is included in the letter of agreement between the Department of the Interior and the\nFederal Computer Incident Response Capability Program. A copy of this Letter of Agreement is\nat attachment V. 
This Letter of Agreement provides Department-wide protection for dealing with\ncriminal activities that pose a threat to critical Federal Information Systems.\n\n\n\n\n                                                  14\n\n\n\n                                             54\n\x0c                                                                            APPENDIX 4\n\n\n         STATUS OF AUDIT REPORT RECOMMENDATIONS                                      ..\n\nFinding/Recommendation\n        Reference              Status                       Actions Reauired\n\n           A.1             Management           Provide an action plan that addresses the\n                           concurs;             risk assessments for the four mission\n                           additional           critical systems that were not included in\n                           information          the response, and include target dates\n                           needed.              and titles of the officials responsible for\n                                                implementation.\n\nA.2,A.3, B.l,B.2, C.l,     Management           Provide target dates and titles of the\nC.2, C.3,D.l,E.l,E.2,      concurs;             officials responsible for implementation.\nE.3, E.4, ES, F.l, F.2,    additional\nG.l, G.2, G.3,H.l,I.l,     information\nJ.l, K.4, L.l, L.2,N.l,    needed.\nN.3, and 0.1\n\n           B.3             Resolved.            We agree with the actions taken.\n\n           K.1             Resolved; not        No further response to the Office of\n                           implemented.         Inspector General is required. The\n                                                recommendation will be forwarded to\n                                                the Assistant Secretary for Policy,\n                                                Management and Budget for tracking of\n                                                implementation.\n\nK.2, M.l? 
M.2, N.2, 0.2,   Implemented.         No further response is required.\n0.3, and P.l\n\n           K.3             Management           Provide an action plan for developing\n                           concurs;             and implementing policies and\n                           additional           procedures to ensure that the system logs\n                           information          are used and that the logs are controlled\n                           needed.              by personnel independent of the system\n                                                access control administration function.\n                                                The plan should include a target date and\n                                                title of the official responsible for\n                                                implementation.\n\n\n\n\n                                           55\n\x0c                  ILLEGAL OR WASTEFUL ACTIVITIES\n                      SHOULD BE REPORTED TO\n                 THE OFFICE OF INSPECTOR GENERAL\n\n\n                    Internet Complaint Form Address\n\n\n                  http://www.oig.doi.gov/hotline_form.html\n\n\n                  Within the Continental United States\n\nU.S. Department of the Interior                        Our 24-hour\nOffice of Inspector General                            Telephone HOTLINE\n1849 C Street, N.W.                                    l-800-424-5081 or\nMail Stop 5341 - MIB                                   (202) 208-5300\nWashington, D.C. 20240-0001\n                                                       TDD for hearing impaired\n                                                       (202) 2082420\n\n\n\n                  Outside the Continental United States\n\n                                    Caribbean Region\n\nU.S. 
Department of the Interior                        (703) 235-922 1\nOffice of Inspector General\nEastern Division - Investigations\n4040 Fairfax Drive\nSuite 303\nArlington, Virginia 22203\n\n                                     Pacific Region\n\nU.S. Department of the Interior                        (67 1) 647-6060\nOffice of Inspector General\nGuam Field Office\n4 15 Chalan San Antonio\nBaltej Pavilion, Suite 306\nAgana, Guam 96911\n\x0cJ\n                                       d-\n                                        L\nbm\n\n\n\n\n     U.S. Department of the Interior\n     Office of Inspector General\n     1849 C Street, NW\n     Mail Stop 5341- MIB\n     Washington, D.C. 20240-000 1\n\n     Toll Free Number\n           l-800-424-508   I\n\n\n     FTSKommercial Numbers\n         (202) 208-5300\n         TDD (202) 208-2420\n\x0c'